nit: shouldn't this be labelled feat! instead of chore! so that it's pick-uped by the release notes? It's really frustrating to look at git diff what has really happened between releases.. especially if something so important happens 😬

Makes sense! I was just thinking that this change is not "valuable" enough to be called feature, but this is subjective.

You could also call it fix! or include chore! in the release notes templates :) in the end I'm open for all options.. just no information is bad imho

Let's use this as example #21711 I had to bisect the last releases to check if this commit was released in there because it wasn't mentioned 😬

I don't really understand why these additions are needed after removing authenticated() from Vaadin web security. This SecurityConfig is not based on Vaadin class so how changes there affect this configuration...Main question how it worked before

After removing authenticated() request matcher, flow's access control is not called unless navigation happens via Flow API (e.g. from menu). Flow should apply authenticated() request matcher for flow routes annotated with PermitAll or RolesAllowed automatically. This needs an update in VaadinSecurityConfigurer and VaadinWebSecurity.
AnonymousAllowed has a request matcher already. DenyAll should work already since access is denied by default.

I've updated PR to do this now, but it might still need to also check parent layout annotations too.

Added check for parent layouts and auto-layout.

I'm wondering if this should only be done if enableNavigationAccessControl returns true. I don't wanna use your access control annotations in my application - wouldn't this require me to add them? (see your test where you had to add @permitAll

This wouldn't require you to add them. but if you do add them, then they are noticed automatically by this request matcher.
You can also disable all default configuration of authorized requests (including this whole customizeAuthorizeHttpRequests method) with enableAuthorizedRequestsConfiguration set to false.

Oh, and as isAuthenticatedRoute is not actually calling navigation access control, we don't need to check enableNavigationAccessControl here.

I think this method should also use NavigationAccessControl (if enabled) to determine if the route requires authentication. I'd say that at the very end it should return true if the NAC decision is DENY or REJECT.
This would take into account out-of-the-box AnnotatedViewAccessChecker (if used, since checkers can be disabled) and custom access checker as well.

We can probably simplify this by removing this annotation check and return true here if it's flow view. Then all flow views will go through access control in the end. Just need to test this once more.

And let's rename the method.

Makes sense, given that anonymous routes are already allowed before.
However, I think that the check should return true only if NAC is enabled, otherwise we cannot be sure if the view should be protected or not.

Updated.